Senior management’s security hypocrisy on show

By Martin Banks July 3, 2018
Bosses are happy to blame young employees for most of the security flaws that occur, but they are more guilty of perpetrating the problems themselves much of the time.

An interesting survey from Centrify caught my eye on the basis that it flags up some valuable lessons for many a CIO – and indeed most C-level company bosses.

The results highlight the pace of technology change with the consequence, apparently, that most security decision makers are increasingly wide of the mark in assessing the young cohorts now coming through as employees.

It is an issue that faces us all in the end. When I started in journalism a notebook, pen, and Olivetti portable manual typewriter were state-of-the-art technology; now I have grandchildren who happily patronise the hell out of me and my skills with social media and online games.

Yet the survey, Security, Privacy and the next-generation workforce, clearly demonstrates that senior managers have serious levels of concern and distrust about the skills, capabilities and motivations of young employees.

It also shows that there is a significant level of ‘do as I say, not as I do’ being displayed by those managers, with the evidence presented suggesting they are far more likely to actually do the things they suspect the young will do at the drop of a hat.

The survey was conducted for Centrify by Censuswide, in two parts, earlier this year. One questioned 1,000 UK office workers aged 18 to 24 who spent at least 25% of their time in the office. The second part questioned 500 senior decision makers in the UK who also spent at least 25% of their working life in the office.

The young… Bah humbug!

Its most unsurprising findings centre on what the ‘old’ think about the ‘young’, particularly when it comes to the apparently cavalier attitudes the latter have towards the issue of security. For example, 35% of managers expressed concern that younger workers place too much trust in technology, while 30% felt they share data far too easily.

The latter observation is quite possibly true, but the other side of that coin is that they have already developed a strong sense of peer-group commonality, where sharing problems and giving advice stretches far wider than just operating between personal friends. And in a world where collaborative, cloud-based service provision and use can only get more common, maybe that is a better mindset than the currently-dominant, anally-retentive capitalist view that everyone else is a probable competitor or enemy rather than a partner.

Social media is also seen as a huge security problem – and also one with much potential to be that grandchild/video games scenario played out in the working world. One finding here also points to the problem that many employers may have a higher opinion of their capabilities than they actually deserve. The survey specifically references perceived damage to brands through social media posting by the young, and showed that 48% of managers are worried about how younger workers interact with social networks.

It even says the evidence is well-founded, claiming that the young are addicted to social media. In practice, however, that evidence seems rather thin. For example, only 13% of young workers say they regularly log in and post to social media while at work, and only 21% do not worry whether their postings might affect their employers. One finding that is more worrying is that 18% are willing to acknowledge their posts might compromise their employer’s security.

A classic example of assumption overruling evidence is the fact that 67% of managers believe young workers click on suspicious or unknown links (the classic access route for hackers), while 58% of managers suspect that they copy files to USB sticks or send them in their own emails. The practical response to that latter one is simple - show me a senior manager that has NOT done that at least once!

The evidence is actually to the contrary. The survey shows only 10% have clicked on a suspicious link – a sign that the young have probably all been bitten by that one long before they start work and have developed a good nose for that kind of trouble – and only 7% have ever removed data from the company in any way.

Sharing passwords is another potential security issue seen by the old, though only 16% of young workers say they have done it with colleagues. Fascinatingly, 13% say they have shared passwords with managers - a classic say/do hypocrisy in play.

There also has to be some doubt about password sharing as a long-term issue. It is quite possible that security technology will take us past the need for passwords in the not too distant future. Centrify’s quid pro quo in promoting this survey is, at least in part, to move users beyond the world of multiple passwords to single sign-on and multiple forms of both user and device authentication.

Managers - the pot/kettle/black scenario

It almost goes without saying that the survey also discovered one important fact – on many occasions managers’ behaviour is actually worse than that of the young workers they so readily condemn. For example, 15% of managers admitted to sharing passwords. More ominously, 5% of managers admit to dabbling in the Dark Web, downloading hacking tools and/or sending ransomware to someone. Only 2% of young workers say they have done this.

What else? Oh yes, twice as many managers (18% of them) admit to having clicked on suspicious web-page links, which highlights an interesting level of hypocrisy given that 24% of them reckon taking malware onboard is their single biggest security risk. Other examples included removal of data from the company (twice as many at 15%) and logging on to dodgy websites (14% compared to 7%). They also play more games and gamble online on work devices.

The survey’s authors use an apposite choice of words to sum up this situation:

Managers’ failure to lead by example were numerous...This shows us that decision makers are not practicing what they preach... In many cases, managers are more guilty of risky behaviour.

The corollary of this is seen in another survey finding – that some 20% of managers are failing to communicate, or even create, clear security guidelines or policies for staff, especially as part of the on-boarding programme. Another 40% said they had policies and guidelines, but that they could be better. This would seem to demonstrate that the penny has not dropped that there can be a significant difference between the hat-tipping approach of ‘having a policy’ and ‘having an up-to-date, recently reviewed and effective policy’.

My take

It seems fair to suggest that the young have developed, and continue to develop, their own rules and approaches to what constitutes good security based on the knowledge gained by having grown up with the technology and its capabilities. Like people of my age and the telephone, they have grown up with this tech and have never known a time before it. So they are not scared of it.

When I was a kid we were one of the first families to have a telephone and I remember the fear on the faces of neighbours when I was sent round to tell them there was a call for them. It must mean death and destruction at the very least. The same can now be perceived in the reported attitudes of senior decision makers, despite the evidence that they neatly forget: they often behave even more badly themselves.

Some years ago now I came up with the term ‘collective capitalism’, that there is nothing wrong with the concept of making a profit, but that the benefits of that profit should have a far wider impact than just the shareholders. The people and organisations that contributed to the creation of that profit – and contributed to the well-being of wider society – deserve a more inclusive share. Maybe the approach of young employees to the technology, its relationship to security, and to business transformation in general, will be better suited to delivering it.